by dave_universetf
1336 days ago
It sounds like your corporate tailnet checked the "override local DNS" setting and provided their own default nameservers, so those are the ones that get used. They could also not do that, at which point your LAN resolver would get consulted, but I presume there's a policy reason in play?

You say "the MagicDNS server" like it's a quad-8 thing out on the internet. That server lives in the tailscale process on localhost. In some configurations on some OSes, we do have to route requests through that in order to polyfill missing OS features (usually, implementing split-DNS policies that the OS cannot represent natively, or transparently upgrading to DoH for upstreams that support it).

You can inspect the logic that decides how to implement DNS policy depending on the policy and OS in https://github.com/tailscale/tailscale/tree/main/net/dns, as well as inspect what the in-process DNS forwarder does (extremely boring: match query suffix in configuration, forward packet to appropriate upstreams).
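The "match query suffix, forward to appropriate upstreams" step described in the comment above, as an added Go sketch that is not Tailscale's code and not part of the original comment. The `Route`, `Config` and `UpstreamsFor` names, the suffixes and the resolver addresses are all constructed for illustration; the sketch assumes longest-suffix-wins selection with a fallback to default resolvers.

```go
package main

import (
	"fmt"
	"strings"
)

// Route maps a DNS suffix to the upstream resolvers that answer for it.
type Route struct {
	Suffix    string
	Upstreams []string
}

// Config is a hypothetical split-DNS policy: suffix routes plus defaults.
type Config struct {
	Routes   []Route
	Defaults []string
}

// normalize lower-cases a name and strips the trailing root dot.
func normalize(name string) string {
	return strings.TrimSuffix(strings.ToLower(name), ".")
}

// UpstreamsFor picks the longest matching suffix. Matching is done on label
// boundaries, so "corp.example.com" does not capture "notcorp.example.com".
func (c Config) UpstreamsFor(qname string) []string {
	q := normalize(qname)
	best, bestLen := c.Defaults, -1
	for _, r := range c.Routes {
		s := normalize(r.Suffix)
		if (q == s || strings.HasSuffix(q, "."+s)) && len(s) > bestLen {
			best, bestLen = r.Upstreams, len(s)
		}
	}
	return best
}

// sampleConfig returns constructed sample data, not a real policy.
func sampleConfig() Config {
	return Config{Routes: []Route{
		{Suffix: "corp.example.com", Upstreams: []string{"10.0.0.53"}},
		{Suffix: "eng.corp.example.com", Upstreams: []string{"10.1.0.53"}},
	}, Defaults: []string{"192.168.1.1"}}
}

func main() {
	for _, q := range []string{"git.eng.corp.example.com.", "notcorp.example.com"} {
		fmt.Println(q, "->", sampleConfig().UpstreamsFor(q))
	}
}
```

The label-boundary check is the part worth testing in any split-DNS setup: a plain string-suffix comparison would send queries for an unrelated lookalike domain to the internal resolver.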